SUSE-SU-2026:0892-1

CVE-2023-42363: use-after-free vulnerability in xasprintf function in xfuncs_printf.c (bsc#1217580).
CVE-2023-42364: use-after-free in the awk.c evaluate function (bsc#1217584).
CVE-2023-42365: use-after-free in the awk.c copyvar function (bsc#1217585).
CVE-2025-46394: files in a TAR archive can have their filenames hidden from a listing if terminal escape sequences are used when naming other files included in the archive (bsc#1241661).
CVE-2025-60876: request line incorrectly neutralized mat lead to header injection (bsc#1253245).
CVE-2026-26157: Arbitrary file overwrite and potential code execution via incomplete path sanitization (bsc#1258163).
CVE-2026-26158: Arbitrary file modification and privilege escalation via unvalidated tar archive entries (bsc#1258167).
CVE-2021-42380: Additional fix for use-after-realloc in awk (bsc#1192869).

References

Affected packages

Name: busybox
Purl: pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.35.0-10.3.1

{
    "binaries": [
        {
            "busybox": "1.35.0-10.3.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0892-1.json"

Name: busybox
Purl: pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.35.0-10.3.1

{
    "binaries": [
        {
            "busybox": "1.35.0-10.3.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0892-1.json"